Srizbi Botnet Re-Emerges Despite Security Firm's Efforts

In the fallout from knocking McColo Corp. offline, this past week may prove to have been a missed opportunity to prevent a dramatic reappearance of junk e-mail: a botnet that once controlled 40 percent of the world's spam apparently has found a new home.

The botnet Srizbi was knocked offline Nov. 11 along with Web-hosting firm McColo, which Internet security experts say hosted machines that controlled the flow of 75 percent of the world's spam. One security firm, FireEye, thought it had found a way to prevent the botnet from coming back online by registering the domain names it thought Srizbi was likely to target. But when that approach became too costly for the firm, it had to abandon the effort.

"This cost us a lot of money. We engaged all the right people. In the end, it comes back to the fact that there wasn't a process in place to do what we were trying to do," said Alex Lanstein, senior researcher at FireEye. "The day after we stopped registering the domains, the bad guys started picking them up."

According to FireEye, Srizbi was the only botnet operating through McColo that had a backup plan in case its master control servers were ever unplugged: The malware contained a mathematical algorithm that generates a random but unique Web site domain name, which the bots would check for new instructions and software updates from their authors.

Shortly after McColo was taken offline, researchers at FireEye said they deciphered the instructions that told computers infected with Srizbi which domains to seek out. FireEye researchers thought this presented a unique opportunity: If they could figure out what those rescue domains would be going forward, anyone could register or otherwise set aside those domains to prevent the Srizbi authors from regaining control over their massive herd of infected machines.

In addition, by registering the domains, FireEye, a startup, could gain valuable intelligence, such as where the individual bots were located and how many there were. The problem, FireEye quickly found, was that each variant was designed to seek out a different set of four rescue domains every 72 hours. To make matters worse, the company identified more than 50 variants of Srizbi in circulation, impacting 500,000 systems. Those that were deficient or ill-programmed in some way controlled fewer victims -- anywhere from a few hundred to a few thousand computers. The more virulent strains of Srizbi, however, controlled upward of 50,000 systems, FireEye found.

That meant that to prevent the Srizbi authors from regaining control over their herd, FireEye would have to register more than 450 domains each week just to stay a step ahead of the bad guys. But each domain name registered costs money. FireEye spent $4,000 buying up future domains that might be sought by stranded Srizbi bots.
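As an added, constructed illustration (not FireEye's or Srizbi's own code), the following Python models the rescue-domain mechanism described above with a stand-in generator and works out the registration plan a defender holding those names would need. The hash-based generator, the variant seeds and the TLD list are assumptions; only the four-domains-per-variant-every-72-hours and 50-variant figures come from the article.

```python
"""Planner for pre-registering (or sinkholing) a DGA botnet's rescue domains.

Constructed example: the generator below is a keyed hash standing in for the
real (unknown here) Srizbi algorithm. It keeps the article's parameters:
four rescue domains per variant every 72 hours, 50+ variants in circulation."""
import hashlib

WINDOW_SECONDS = 72 * 3600
DOMAINS_PER_WINDOW = 4
TLDS = ("com", "net", "org", "info")  # assumption; the article names no TLDs


def rescue_domains(variant_seed: bytes, now: int) -> list:
    """Domains one variant would look up during the 72-hour window containing `now`."""
    window = now // WINDOW_SECONDS
    names = []
    for slot in range(DOMAINS_PER_WINDOW):
        material = variant_seed + window.to_bytes(8, "big") + bytes([slot])
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        names.append(f"{label}.{TLDS[slot % len(TLDS)]}")
    return names


def registration_plan(variant_seeds, start: int, days: int) -> dict:
    """Per-window sets of domains a defender must hold to keep every variant stranded."""
    plan = {}
    end = start + days * 86400
    t = start
    while t < end:
        window_names = set()
        for seed in variant_seeds:
            window_names.update(rescue_domains(seed, t))
        plan[t // WINDOW_SECONDS] = window_names
        t += WINDOW_SECONDS
    return plan


def domains_per_week(n_variants: int) -> float:
    """Registrations needed each week: variants x 4 domains x (168 h / 72 h)."""
    return n_variants * DOMAINS_PER_WINDOW * (7 * 86400 / WINDOW_SECONDS)


if __name__ == "__main__":
    seeds = [f"variant-{i}".encode() for i in range(50)]  # constructed variant ids
    plan = registration_plan(seeds, start=1226361600, days=21)  # 2008-11-11 00:00 UTC
    print(sum(len(v) for v in plan.values()), "domains over 3 weeks;",
          round(domains_per_week(50)), "per week")
```

With 50 variants the weekly figure comes out at about 467, matching the article's "more than 450"; the per-window sets are what an ISP or registrar would hand to a sinkhole so that lookups resolve to a server it controls instead of to the botnet's operators.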

FireEye researchers thought that with that kind of firepower at their fingertips, they could have instructed each of the infected systems to uninstall the bot program. But the researchers surmised that such an action would not only be illegal but would also run the risk of doing serious damage to the systems. Srizbi, like most other sophisticated botnet programs these days, hooks into systems at a fundamental level, and removing it occasionally causes an infected system to stop working altogether.

"We could tell these bots to uninstall themselves from most of the machines, and the whole process would probably take a few seconds," Lanstein said. "But even if it were legal to do this, what would happen if removing the malicious software messes up some of these machines even worse?"

Srizbi had already shown it was fully capable of resurrecting itself. Joe Stewart, director of malware research for Atlanta-based SecureWorks, has documented how the Srizbi botnet's built-in rescue system can bring a lost herd of hacked computers back into the fold.

In October 2007, a massive blast of spam was sent through the Srizbi botnet promoting U.S. presidential candidate and libertarian Ron Paul. SecureWorks found that the control servers used by Srizbi for that spam run were all located at McColo, and reported the location of those servers to the now defunct hosting provider. Stewart said McColo responded by changing the Internet addresses of those control servers, which was enough to strand all of the bots seeking new instructions. When the backup mechanism in the bots caused them to search for new Web site names a few days later, the criminals who controlled the network were able to regain control over it by registering those Web site names.

A week ago, FireEye researcher Lanstein said the company was looking for someone else to register the domain names that the Srizbi bots might try to contact to revive themselves. He said they approached other companies such as VeriSign Inc. and Microsoft Corp. After FireEye abandoned its efforts, some other members of the computer security community said they reached out for help from the United States Computer Emergency Readiness Team, or US-CERT, a partnership between the Department of Homeland Security and the private sector to combat cybersecurity threats.

Officials at US-CERT, however, have not responded to e-mails and phone calls requesting an interview about this story.

If others had gotten involved, there were a couple of scenarios that could have played out. One was for an ISP or registrar to gain clearance to "sinkhole" all of the Srizbi bots, essentially tying them up eternally by pretending to have the instructions the bots were seeking but never quite giving those bots the complete answer. The other was for an accredited registrar to register all of the domains sought by the Srizbi variants.

Ultimately, the FireEye researchers, under pressure from their managers to stop incurring expenses for registering the domains, stopped their efforts Nov. 24. According to FireEye, sometime on Nov. 25, unknown individuals in Russia apparently registered the remaining domains, thereby regaining control over the world's largest spam botnet.

It's a shame the likes of Google, Microsoft or any other number of Net giants didn't seize this opportunity.

I mean really, what's several thousand dollars to either of those two? When you consider the obvious effect which was felt globally with this bot out of action, it's a disgrace they couldn't step up.

This does not compute. Since the domains were known in advance, why doesn't the issuing agency simply put a hold on them -- by not allowing any registrars to register them? Are you implying that ICANN was in collusion with the Russian spammers? Or perhaps the DHS here had set up McColo as a honeypot to trap them? In that case, why hasn't anyone been trapped?

For that matter, how come we've never seen any information about who registered McColo as a Delaware corporation? Surely that has to be publicly available information. This whole thing smells.

It never ceases to amaze me when I see all these comments about "So and so should step up" and "This organization should take charge" and the like. Seems that in no small part everyone ass-u-me-ing that it is someone else's job to make sure their computer system is "secure" is at the root of much of this problem.

Every time we seek to cede responsibility to others we also cede a bit of control.

It's unclear from the article whether Microsoft, Google, or for that matter anyone other than the IT department at FireEye knew that the botnet could be shut down in this way. Sure, a few grand is chump change for the big guys, but if they don't know about it in the first place that doesn't matter, does it?

I agree with pj48 that this really is a federal law enforcement or even defense function. Rather than spending $3T invading the wrong country, they could actually do our security some good, for a mere pittance.

I should also say that even if the federal U.S. government stepped in, the spammers, malware creators and identity thefts would not stop. Considering the scope of the problem, they have to do what they can do that is economically feasible. In this case it is a no brainer.

Interesting comment about Obama's incoming tech czar. I would think creating a working international arrangement, and an arrangement with several top security companies would be among the major priorities. If not, it should be.

This is off topic, but appropriate for your column. Please STOP THE FLOATING ADS that cover the text of the article. I am currently looking at a blue rectangle that asks me if I want to participate in a survey - I DON'T! It appears on every article in today's WAPO and has done so over the past week. I don't click on boxes I don't know anything about, I just close the window. I CAN'T CLOSE THIS WINDOW except by clicking on the RED circled X. Who knows what that could lead me to! I consider this a security issue and reload the page as many times as it takes to be free of this annoyance, or just skip the article. Please pass it on to whomever is responsible for these miserable intrusions.